Community Area

GINA - Graphical Identification and Authentication DLL

by
Wayne Maples
[Published on 20 April 2004 / Last Updated on 20 April 2004]

Logon to Windows NT is controlled by Winlogon.exe. You
can eliminate the logon with automatic logon , not recommended, or you can modify the
mechanisms used. Some functions handled by winlogon are implemented with a
replaceable DLL. The identification and authentication aspects of Winlogon can
be replaced if an organization wishes to change the default gina, msgina.dll, which provides for account/password authenication
with some other mechanism such as smart-card, biometrics, or PKI. There are
opportunites for significantly improving NT's default authenication process.
Samples GINAs can be found in the SDK's Gina and Ginastub folders under
Mssdk\Samples\WinBase\Security\WinNT.

This kind of twiddling with NT security might be necessary in a high security
environment or you may want to eliminate alt-ctrl-del in a kiosk environment,
but in general I would strongly recommend against this unless you really
understand NT security or you have no need for security. It is possible for
hackers or intruders to use this capability to inappropriately snoop, to capture
any passwords entered on a workstation with a modified gina. See FakeGina on
the NtSecurity.nu site for a working model of this threat. A particular threat
for shared PCs or kiosk PCs with logon requirements (say a company library or
cafeteria open terminal).